The National Security Agency (NSA) has published new guidance to help organizations incorporate software bills of materials (SBOMs) and mitigate supply chain risks.
In May 2021, the White House issued a cybersecurity executive order, mandating the use of SBOMs for transparency and cyber risk mitigation, as they would provide a complete picture of software components, including open source software, and their relationships.
The NSA guidance (PDF) follows previous recommendations that the US government has provided on SBOMs and is meant to help organizations improve SBOM management by following three steps: cyber risk analysis, vulnerability analysis, and incident response.
The agency recommends that software suppliers mature their SBOM exchange practices, that both private and government organizations expand their SBOM research to help standardize solutions, and that software developers take ownership of customer security outcomes.
“SBOMs and SBOM management tools play a part in enforcing the requirement to make software secure by design as they provide a mechanism to determine software component risk and establish a level of confidence in the software’s freedom from vulnerabilities,” the NSA notes.
Software consumers, the NSA says, should leverage available government resources to ensure they acquire secure software.
National Security System (NSS) owners are advised to develop and require software component information containing details on each software component, identification of all software dependencies, a container manifest for software with container components, digital signatures or authentication for component validation, SBOMs generated using source code for NSS-related software specifically developed under contract, the completeness of SBOMs for all software, limited rights to reverse-engineer software for validation purposes, and contract metrics for tracking and assessment.
NSA’s guidance also recommends a series of best practices for NSS owners and shares details on the functionality that organizations should look for when considering SBOM management tools.
“As software bills of materials become more integral to cybersecurity supply chain risk management standards, best practices will become critical to ensuring efficiency and reliability of the software supply chain. These guidelines provide the information [network owners and operators] need to select the appropriate tools to reduce an organization’s overall risk exposure,” NSA cybersecurity director Rob Joyce said.
Related: SBOMs – Software Supply Chain Security’s Future or Fantasy?
Related: The SBOM Bombshell
Related: New SBOM Hub Helps All Stakeholders in Software Distribution Chain
